Hacking has gone commercial! What was once a playground for script kiddies, as well as hackers trying to build online reputations and earn bragging rights, has turned into big business. Spammers--and, increasingly, phishers--are using malicious mobile code (e.g., worms, viruses, Trojan horses) to spread rogue email messages.

According to MessageLabs, a leading email-service security provider, spam accounted for 73 percent of all email in 2004. What might surprise you even more is that compromised, open SMTP relay servers didn't send most of that spam. In its October 2004 report, MessageLabs also revealed that the source of 70 percent of the spam was spambot networks. Let's take a look at what spambots are, how they work, how they pose a threat to your environment, and how you can combat them.

What Are Spambots?
Spambots are malware specifically built to find innocent machines, take control, and send spam. Early spambots roamed the Internet, harvesting legitimate email addresses and forwarding them to the spammer or taking advantage of SMTP servers with open relays. Today, spambots have mutated into self-replicating, self-updating, mass-mailing spam engines. In a typical scenario, a spambot uses a malicious mobile-code vector to infect a PC. The end user either clicks a rogue email attachment, letting the spam worm exploit an unpatched buffer-overflow vulnerability, or the user unknowingly installs the spambot in a shareware scenario. The spambot then installs itself into one of the computer's many auto-run areas, sets up an SMTP engine, and begins sending spam messages.

Advanced spambots connect to remote Web sites (called motherships), then proceed to download updated versions of themselves along with new spam lists. A spambot's behavior can change according to newly downloaded code, and the products that get hyped in the resulting spam and targeted email addresses can change on the fly. You could once track motherships and block them from distributing malicious code. But today, a spambot's mothership--by borrowing techniques that peer-to-peer (P2P) networks use for hiding unlicensed music files--is just another previously exploited PC. A spambot can now randomly turn exploited PCs into motherships and others into spam senders, and it can constantly alter the origin of the malicious data.

Spambots are becoming increasingly sophisticated, utilizing encryption, polymorphism (changing encryption keys each generation), metamorphism (changing code or functionality each generation), stealth hiding, and removal-complication techniques. Even the random mothership routines have become more complex. After the initial infection, the spambot downloads other spambots, spyware, and Trojan horses. Each time a spambot starts, it updates itself and downloads new malware programs. Trying to determine the origin of a threat is nearly impossible--which is, of course, the spammer's goal. (One way to tell the difference between a spambot and a typical email worm is that the latter will send itself only to email addresses harvested from the local compromised machine, whereas the spambot will send unsolicited email to very large lists or randomly generated outside email addresses.)

Like traditional worms and Trojan horses, spambots infect tens of thousands of computers, creating large zombie networks waiting to do the spammer's bidding. According to MessageLabs, last year, only 12 percent of the 800 million daily messages that left the network of cable Internet provider Comcast originated from a Comcast email server. The remainder were spam messages relayed through compromised systems. After months of complaints, Comcast established antispam defenses and decreased spam by at least 35 percent. Sadly, large spambot networks exist, unchecked, all over the Internet. In fact, your parents or grandparents might be spammers without even knowing it.

4 Spambot Mechanisms
After a spambot has successfully infected a PC, its purpose is to set up one of four mechanisms to spread spam: an SMTP engine, an SMTP relay, an HTTP proxy, or a proxy relay. The simplest spambots install a standalone SMTP engine, then begin generating and sending unsolicited email. An SMTP relay mimics an SMTP email server, with an open relay. With a custom open SMTP relay, a spammer no longer needs to find a vulnerable SMTP server--he or she can just create one. The spammer sends malicious mail from one location to the newly created SMTP open relay, which then forwards the mail to the final destination.

Smart administrators block firewall port 25 (SMTP) for traffic originating from the desktop because they know only their corporate email servers need SMTP to work. (Microsoft Outlook uses RPC to talk to Microsoft Exchange Server servers.) However, port 80 is almost always open for outgoing communication, to let users surf the Internet. To take advantage of this always-available port, spambots often install HTTP proxies or proxy relays. HTTP proxies are Web servers that use the CONNECT command to redirect traffic to a different port or destination. The original purpose of the CONNECT command was to give flexibility to HTTP Secure (HTTPS) communications. If a spammer can find a Web proxy or relay (which can often be an enabled part of a regular Web server) that allows anonymous CONNECT commands to be relayed to other servers and ports, he or she has hit the jackpot. HTTP relays are this year's open SMTP relay. Spammers and spambots are testing Web servers for open HTTP relays more than any other HTTP exploit. The spambot can also install proxy-relay software that accepts commands and directs traffic to any port and any destination.

All four mechanisms are convenient ways to send messages from a spoofed source. If the receiving server sends back a nondelivery report (NDR) error message, the spoofed sender address gets it--not the true location of the spambot. Unfortunately, the constant spoofing results in the delivery of NDRs to innocent SMTP servers, where beleaguered administrators must deal with them. Experienced administrators will recognize these NDRs for what they are and ignore them. If administrators aren't as confident in the security of their network or server, they must waste time ruling out the false-positive error messages.

Worse, many companies are falsely accusing innocent email servers of sending spam and are incorrectly posting the spoofed sources to spam blacklists. If your company is still sending messages to senders suspected of sending email viruses or spam, stop! Most sender addresses are spoofed. Odds are, the sender address doesn't represent the company or person it claims to be, and therefore your warnings are almost always incorrect.

Spambot Examples
Increasingly sophisticated and feature-rich, spambots can be the most aggressive automated malware you face. Here are some sample spambots and their behaviors.

Proxy Guzu. The Proxy Guzu Trojan horse is tame as far as today's spambots go. After it's executed, Proxy Guzu installs an SMTP engine, connects to a Microsoft Hotmail email server, and sends a notification email message to a predefined address announcing the IP address of the exploited machine and the port number on which to contact the Trojan horse. Proxy Guzu has stealth capabilities and can hide from Windows Task Manager.

Sobig. The Sobig series of worms is widely considered the first sophisticated cross-breeding of traditional worm and spambot. Whereas most worms simply send themselves to email addresses collected on the exploited computer, Sobig creates an open proxy server. For this reason, Sobig has repopularized the notion of downloading code updates on the fly.

Sobig arrives as a typical email malware attachment. After it installs itself, it downloads a new version of itself from a predefined Web site. Then, that new version might download another version from yet another Web site. Another stage of the worm uses Wingate Proxy Server (a legitimate proxy program used in violation of its license) to install an open proxy server. Different versions of Sobig enable and disable themselves on various dates.

Antivirus experts suspected a spam connection for two reasons. First, although Sobig distributed itself through email, initial distributions occurred over rogue open proxies (a common spammer trick). Second, after its appearance, spambots and zombie spam networks began appearing en masse. If Sobig wasn't originally a spambot, speculation alone must have triggered spammers into action.

Jeem. The Jeem backdoor Trojan horse, discovered in November 2002, was among the first malware programs that antivirus experts identified as having spammer-dedicated functionality. Jeem operates as an unauthorized SMTP server and HTTP proxy. It installs itself in the \%system% directory as msrexe.exe and modifies the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run autorun registry subkey by appending \System Service="%system%\msrexe.exe".

Jeem opens three TCP ports that are randomly generated based on the OS and the configured time zone. The lowest-numbered port could be used as an SMTP server, the middle port as an HTTP proxy, and the highest-numbered port to exchange the sent data. Jeem is a part of the larger Maz Trojan horse, lending the spambot a reputation for being hard to track. Many antivirus products detect the parent but not the child Jeem process that Maz drops.

Anymail. The Anymail Trojan horse downloads a configuration file (config.cfg) from a hard-coded URL, then uses it to send email to targeted recipients. The configuration file is encrypted and contains the links to a remote Web site, at which another configuration file contains the necessary information about the SMTP server to be used; the recipient list to be spammed; the email message's subject, body, and attachments; and the time interval that determines when to send messages. To update configuration information, the Trojan horse reads the remote configuration file at periodic intervals. The related sended_count.cfg file is an encrypted log file that contains the number of messages sent.

Antispambot Honeypot
Because spam is so prevalent, many honeypot software programs contain antispam functionality. As a test, I set up a Windows honeypot that mimicked open SMTP and HTTP relays. In 26 minutes, the first spambot probe arrived--two packets sent to port 80 used the CONNECT command to see whether the proxy permitted anonymous connections and redirection. The probes sent test messages to random-looking Hotmail addresses, which were probably created to test whether a found relay is fully functional. I allowed the test email to be successful so that the spammer or spambot would confirm that the new victim relay could send email to the spammer's intended victims. In earlier honeypot tests, I didn't allow the system to pass any successful connections, and the test probes didn't result in more activity.

Within 6 minutes, another spambot from the same source IP address arrived and installed itself. After another 3 minutes, another spambot from a separate IP address installed itself, not even taking the time to test before the installation. Already, I had two spambots battling it out. Both spambots connected to remote sites to download more code, then installed additional executables. Both spambots also installed spyware and modified Microsoft Internet Explorer (IE). One of them modified the honeypot's HOSTS file. Then, the spamming started. Hundreds of messages to be relayed (to Hotmail servers and email addresses) were soon arriving every second. I directed the honeypot not to send out any spam but to respond to the remote spam source as if it had been successful.

Within minutes, the honeynet's network bandwidth was fully utilized--and if email had actually been leaving the demilitarized zone (DMZ), traffic would have been doubled. In less than an hour, the spambots had generated tens of thousands of messages. I was able to see the spam (i.e., messages about weight loss and anti-spyware programs) the spambots were generating, as well as who they were sending it to (i.e., random hotmail.com addresses). There was so much spam that the separate spambots were competing to make more connections to the honeypot. In just over a day, my honeypot collected hundreds of megabytes of messages. This type of activity is occurring around the world on thousands of compromised machines.

Spambots are attacking more forms of legitimate communications beyond email. Spambots have been attacking Instant Messaging (IM) channels for a few years. Over the past year, spam has started to invade blogging sites. Unfortunately, spambots aren't our only problem. Phishing attacks and spyware are becoming more and more prevalent. According to a Gartner study, phishing attacks fool perhaps 3 to 10 percent of those who receive them. Spyware and downloaded Trojan horses exist on nearly every PC connected to the Internet. All three rogue-email types are becoming increasingly more sophisticated and harder to stop. The only long-term, viable solutions are more resistant OSs, better software defenses, default authentication, and increased law enforcement.

Today's Defenses
Unfortunately, all those defenses will take time to implement and to gain widespread acceptance. Here are some steps you can take to block spambots:

  • Use up-to-date antivirus software.
  • Use a spam and spyware blocker
  • .
  • Understand and minimize the ability of unauthorized programs to load in your computer's auto-run areas. Download and use Sysinternal's excellent Autoruns utility.
  • Block port 25 (or even better, all ports) against any communication originating from a computer that isn't expressly authorized. Some administrators allow outgoing port 25 information from any PC on the network, when they should be authorizing only the mail server. Set your perimeter egress filters appropriately.
  • Investigate suspicious originating port traffic. (For more information about this process, see the "Port-Enumeration Tools" sidebar.)
  • Block potentially dangerous file attachments.
  • Don't let users browse the Internet or conduct nonadministrative activities while logged on as an administrative user.
  • Don't let users browse the Internet or conduct nonadministrative activities from the server.
  • Keep systems patched.
  • If you're serious about stopping spambots, consider running a honeypot as a spam trap or as an early warning system within your own environment. A spam trap is a honeypot that poses as an open relay. Every spammer or spambot that connects to the fake open relay equates to millions of foiled spam messages. A spam honeypot inside your perimeter can alert you to an active spambot. Some security administrators use spam traps to track spammers, and occasionally these traps have led to court cases.

    To find dozens of solutions, simply Google the words spam trap or spam tarpit. Or check out "Intrusion Detection, Honeypots and Incident Handling Resources" (http://www.honeypots.net/honeypots/products) for SMTP tarpit solutions. As with any new security technology, you should perform proper research before implementing such a solution.

    Keep Your Guard Up
    Increasing numbers of phishers and spyware authors are technically co-opting spambot malware and networks. In the long run, default authentication on the CPU, OS, and application platforms will minimize the nuisances and threats of spambots and their ilk, but until then, you need to keep your guard up against this ever-increasing danger.